ramnit | 738f2911f4786d927b4dc24f55edbbba8415cbcb7bb3c8fecbcea7cf4f170add

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-01-2025 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_63da91ae47b722d57e5c1ae562c52241.dll
Size

510KB
MD5

63da91ae47b722d57e5c1ae562c52241
SHA1

7813d15aaa44edf7f1ddae94a8664f91eb1b17d0
SHA256

738f2911f4786d927b4dc24f55edbbba8415cbcb7bb3c8fecbcea7cf4f170add
SHA512

92b82f05685c8593713659c98db833342fbdb5041c82d641246dd4037441a427b5d1eb77b7cdb30b1b3202409fce2af346c36673985670f672aa1761e7089225
SSDEEP

12288:eLWrIYvqnklSYARvJYi3zStRBoN37KQGOMqWnGFH0hNWsb:eLWrTqkorRv2i+tRiN37tvHUIQ

Score

10^/10

ramnit banker defense_evasion discovery evasion persistence spyware stealer trojan worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\oaejiuxc\\wgvvsuhs.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wgvvsuhs.exe	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wgvvsuhs.exe	svchost.exe

Executes dropped EXE 2 IoCs

pid	Process
2704	rundll32mgr.exe
2372	olqquwjyhpxmvaoi.exe

Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend	svchost.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	svchost.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	svchost.exe

Loads dropped DLL 7 IoCs

pid	Process
2236	rundll32.exe
2236	rundll32.exe
2704	rundll32mgr.exe
2704	rundll32mgr.exe
2704	rundll32mgr.exe
2704	rundll32mgr.exe
2704	rundll32mgr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\WgvVsuhs = "C:\\Users\\Admin\\AppData\\Local\\oaejiuxc\\wgvvsuhs.exe"	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1252	2236	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	olqquwjyhpxmvaoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
476	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2704	rundll32mgr.exe
Token: SeDebugPrivilege	2704	rundll32mgr.exe
Token: SeSecurityPrivilege	1856	svchost.exe
Token: SeSecurityPrivilege	2780	svchost.exe
Token: SeDebugPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeSecurityPrivilege	2372	olqquwjyhpxmvaoi.exe
Token: SeLoadDriverPrivilege	2372	olqquwjyhpxmvaoi.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2236	2112	rundll32.exe	30
PID 2112 wrote to memory of 2236	2112	rundll32.exe	30
PID 2112 wrote to memory of 2236	2112	rundll32.exe	30
PID 2112 wrote to memory of 2236	2112	rundll32.exe	30
PID 2112 wrote to memory of 2236	2112	rundll32.exe	30
PID 2112 wrote to memory of 2236	2112	rundll32.exe	30
PID 2112 wrote to memory of 2236	2112	rundll32.exe	30
PID 2236 wrote to memory of 2704	2236	rundll32.exe	31
PID 2236 wrote to memory of 2704	2236	rundll32.exe	31
PID 2236 wrote to memory of 2704	2236	rundll32.exe	31
PID 2236 wrote to memory of 2704	2236	rundll32.exe	31
PID 2704 wrote to memory of 1856	2704	rundll32mgr.exe	32
PID 2704 wrote to memory of 1856	2704	rundll32mgr.exe	32
PID 2704 wrote to memory of 1856	2704	rundll32mgr.exe	32
PID 2704 wrote to memory of 1856	2704	rundll32mgr.exe	32
PID 2704 wrote to memory of 1856	2704	rundll32mgr.exe	32
PID 2704 wrote to memory of 1856	2704	rundll32mgr.exe	32
PID 2704 wrote to memory of 1856	2704	rundll32mgr.exe	32
PID 2704 wrote to memory of 1856	2704	rundll32mgr.exe	32
PID 2704 wrote to memory of 1856	2704	rundll32mgr.exe	32
PID 2704 wrote to memory of 1856	2704	rundll32mgr.exe	32
PID 2704 wrote to memory of 2780	2704	rundll32mgr.exe	33
PID 2704 wrote to memory of 2780	2704	rundll32mgr.exe	33
PID 2704 wrote to memory of 2780	2704	rundll32mgr.exe	33
PID 2704 wrote to memory of 2780	2704	rundll32mgr.exe	33
PID 2704 wrote to memory of 2780	2704	rundll32mgr.exe	33
PID 2704 wrote to memory of 2780	2704	rundll32mgr.exe	33
PID 2704 wrote to memory of 2780	2704	rundll32mgr.exe	33
PID 2704 wrote to memory of 2780	2704	rundll32mgr.exe	33
PID 2704 wrote to memory of 2780	2704	rundll32mgr.exe	33
PID 2704 wrote to memory of 2780	2704	rundll32mgr.exe	33
PID 2236 wrote to memory of 1252	2236	rundll32.exe	34
PID 2236 wrote to memory of 1252	2236	rundll32.exe	34
PID 2236 wrote to memory of 1252	2236	rundll32.exe	34
PID 2236 wrote to memory of 1252	2236	rundll32.exe	34
PID 2704 wrote to memory of 2372	2704	rundll32mgr.exe	35
PID 2704 wrote to memory of 2372	2704	rundll32mgr.exe	35
PID 2704 wrote to memory of 2372	2704	rundll32mgr.exe	35
PID 2704 wrote to memory of 2372	2704	rundll32mgr.exe	35

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63da91ae47b722d57e5c1ae562c52241.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63da91ae47b722d57e5c1ae562c52241.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1856
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      UAC bypass
      Checks BIOS information in registry
      Drops startup file
      Impair Defenses: Safe Mode Boot
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2780
  - - C:\Users\Admin\AppData\Local\Temp\olqquwjyhpxmvaoi.exe
      "C:\Users\Admin\AppData\Local\Temp\olqquwjyhpxmvaoi.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2372
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 220
    3⤵
    - Program crash
    PID:1252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
98KB

MD5
74a5197ac9806264925ff1f140242796

SHA1
59d0483c59c6a4fca85e72d30e656623a5266146

SHA256
8e28eca59b2bcc9933a4024b3adc5feed52a4615bdbc379b39008dc67c5364ae

SHA512
63976bd04c033a97659cdb5517b5eaa9b6119c6ce84f78ff5882a047c9f9f9d26b52e86b95c0709bf8d89a2120e8afb887e87ba5cb69adb4660fb6392919ad89

Download Submit
memory/1856-34-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/1856-38-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/1856-39-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1856-28-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/1856-32-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/1856-33-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/1856-22-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/1856-24-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/1856-37-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/2236-4-0x0000000074A80000-0x0000000074B06000-memory.dmp

Filesize
536KB

Download
memory/2236-11-0x0000000000210000-0x000000000024B000-memory.dmp

Filesize
236KB

Download
memory/2236-10-0x0000000074A80000-0x0000000074B06000-memory.dmp

Filesize
536KB

Download
memory/2236-9-0x0000000074B10000-0x0000000074B96000-memory.dmp

Filesize
536KB

Download
memory/2236-1-0x0000000074B10000-0x0000000074B96000-memory.dmp

Filesize
536KB

Download
memory/2372-91-0x0000000000400000-0x000000000043A154-memory.dmp

Filesize
232KB

Download
memory/2704-69-0x0000000000400000-0x000000000043A154-memory.dmp

Filesize
232KB

Download
memory/2704-41-0x00000000775AF000-0x00000000775B0000-memory.dmp

Filesize
4KB

Download
memory/2704-16-0x0000000000400000-0x000000000043A154-memory.dmp

Filesize
232KB

Download
memory/2704-68-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2704-40-0x00000000775B0000-0x00000000775B1000-memory.dmp

Filesize
4KB

Download
memory/2704-66-0x00000000775B0000-0x00000000775B1000-memory.dmp

Filesize
4KB

Download
memory/2704-19-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2704-18-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2704-13-0x0000000000400000-0x000000000043A154-memory.dmp

Filesize
232KB

Download
memory/2704-15-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2704-77-0x0000000002810000-0x000000000284B000-memory.dmp

Filesize
236KB

Download
memory/2704-20-0x0000000000400000-0x000000000043A154-memory.dmp

Filesize
232KB

Download
memory/2704-78-0x00000000775AF000-0x00000000775B0000-memory.dmp

Filesize
4KB

Download
memory/2780-110-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2780-104-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2780-112-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2780-49-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2780-59-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2780-65-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2780-103-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2780-93-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2780-105-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2780-107-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2780-108-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2780-109-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2780-58-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2780-111-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2780-43-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download